su: add info about pam_lastlog to su.1

author Karel Zak <kzak@redhat.com>

Mon, 21 Oct 2013 12:27:30 +0000 (14:27 +0200)

committer Karel Zak <kzak@redhat.com>

Mon, 21 Oct 2013 12:27:30 +0000 (14:27 +0200)
author Karel Zak <kzak@redhat.com>
Mon, 21 Oct 2013 12:27:30 +0000 (14:27 +0200)
committer Karel Zak <kzak@redhat.com>
Mon, 21 Oct 2013 12:27:30 +0000 (14:27 +0200)
diff --git a/login-utils/su.1 b/login-utils/su.1

index 1d8176218a0ff59a725c54420c5e31c07807103d..55c0b8bace4d6f3e111ccce716a80d7056ab277c 100644 (file)
--- a/login-utils/su.1
+++ b/login-utils/su.1
@@ -226,6 +226,20 @@ command specific logindef config file
  /etc/login.defs
  global logindef config file
  .PD 1
+.SH NOTES
+For security reasons
+.B su
+always logs failed log-in attempts to the btmp file, but it does not write to
+the lastlog file at all.  This solution allows to control
+.B su
+behavior by PAM configuration.  If you want to use the pam_lastlog module to
+print warning message about failed log-in attempts then the pam_lastlog has to
+be configured to update lastlog file too. For example by:
+
+.RS
+.br
+session  required  pam_lastlog.so nowtmp
+.RE
  .SH "SEE ALSO"
  .BR runuser (8),
  .BR pam (8),
author	Karel Zak <kzak@redhat.com>
	Mon, 21 Oct 2013 12:27:30 +0000 (14:27 +0200)
committer	Karel Zak <kzak@redhat.com>
	Mon, 21 Oct 2013 12:27:30 +0000 (14:27 +0200)